btlyric
Level 12

Enable Certificate Verification + Bypass SSL Content Inspection

I'm testing a rule set that will skip SSL content inspection for a set of connections when one of the criteria is that the SSL Certificate CN matches in a specific list.

It looks something like this:

New Rule Set

   Top level criteria: Command.Name equals CONNECT or Command.Name equals CERTVERIFY

Set Client Context for SSL

   Criteria: Command.Name equals CONNECT

   Action:   Continue

   Event:   Enable SSL Client Context with CA <Default CA>

Enable Certificate Verification

   Criteria: Command.Name equals CONNECT AND URL.Destination.IP matches in list LIST

   Action:   Stop Cycle

   Event:    Enable SSL Scanner <Default Certificate Verification>

Skip SSL Inspection

   Criteria: URL.Destination.IP matches in list LIST AND SSL.Server.Certificate.CN matches in list CN-list AND SSL.Server.Certificate.DaysExpired less than 7 AND SSL.Server.CertificateChain.ContainsRevoked<CAs> equals false

   Action:   Stop Cycle

This appears to work as expected, but I was wondering if there were any gotchas I should take into consideration.

Thanks!

0 Kudos
4 Replies
eelsasser
Level 15

Re: Enable Certificate Verification + Bypass SSL Content Inspection

Do you want authentication?

A Stop Cycle would stop before authentication occurs.

0 Kudos
btlyric
Level 12

Re: Enable Certificate Verification + Bypass SSL Content Inspection

Don't want or need authentication for this particular rule set.

0 Kudos
btlyric
Level 12

Re: Enable Certificate Verification + Bypass SSL Content Inspection

As an addendum -- is there any reason to NOT enable certificate verification up near the top of the rule set?

For example...

Rule Set Near Top:

Command.Name equals CONNECT

Enable SSL Client Context

Enable Certificate Verification

followed by auth, other rule sets, and the rest of the SSL handling further down.
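A toy model of the request-cycle control flow that eelsasser's Stop Cycle remark and the addendum's ordering question turn on, added here as an illustration; it is not code from the thread or from the gateway product. It is a hypothetical evaluator with an assumed top-down semantics: rule sets are walked in order, a matching rule records its events, Stop Cycle ends the cycle, Stop Rule Set skips the rest of the current rule set, and authentication is modelled as just another action. The contents of LIST and CN-list, the IPs and the CNs are constructed. It shows only what that ordering assumption implies, not what the product's engine does beyond it.

```python
"""Toy rule-cycle model (constructed illustration, not the gateway's engine or
the poster's exported policy). Assumed semantics: rule sets walked top-down,
"Stop Cycle" ends the whole cycle, "Stop Rule Set" skips the rest of one rule
set, "Authenticate" is treated as a plain action. Lists are made up."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

LIST = {"203.0.113.10", "203.0.113.11"}               # constructed stand-in for LIST
CN_LIST = {"update.example.com", "api.example.net"}   # constructed stand-in for CN-list


@dataclass
class Request:
    command: str                # "CONNECT" or "CERTVERIFY"
    dest_ip: str = ""
    cert_cn: str = ""           # populated only once the server certificate is seen
    days_expired: int = 0       # stands in for SSL.Server.Certificate.DaysExpired
    chain_has_revoked: bool = False


@dataclass
class Rule:
    name: str
    criteria: Callable[[Request], bool]
    action: str                 # "Continue", "Stop Rule Set", "Stop Cycle", "Authenticate"
    events: List[str] = field(default_factory=list)


@dataclass
class RuleSet:
    name: str
    criteria: Callable[[Request], bool]
    rules: List[Rule]


def run_cycle(policy: List[RuleSet], req: Request) -> Tuple[List[str], str]:
    """Walk the policy top-down; return (events fired, how the cycle ended)."""
    fired: List[str] = []
    for rs in policy:
        if not rs.criteria(req):
            continue                      # whole rule set skipped
        for rule in rs.rules:
            if not rule.criteria(req):
                continue
            fired.extend(rule.events)
            if rule.action == "Authenticate":
                fired.append("Authenticate")
            elif rule.action == "Stop Cycle":
                return fired, f"Stop Cycle in '{rs.name}' / '{rule.name}'"
            elif rule.action == "Stop Rule Set":
                break                     # skip the rest of this rule set only
    return fired, "end of cycle"


CTX = "Enable SSL Client Context <Default CA>"
VERIFY = "Enable SSL Scanner <Default Certificate Verification>"


def bypass_ok(r: Request) -> bool:
    """The Skip SSL Inspection criteria from the post."""
    return (r.dest_ip in LIST and r.cert_cn in CN_LIST
            and r.days_expired < 7 and not r.chain_has_revoked)


AUTH = RuleSet("Authentication", lambda r: True,
               [Rule("Authenticate", lambda r: True, "Authenticate")])


def posters_policy() -> List[RuleSet]:
    """The rule set as posted, followed by an authentication rule set."""
    ssl = RuleSet("New Rule Set", lambda r: r.command in ("CONNECT", "CERTVERIFY"), [
        Rule("Set Client Context for SSL", lambda r: r.command == "CONNECT", "Continue", [CTX]),
        Rule("Enable Certificate Verification",
             lambda r: r.command == "CONNECT" and r.dest_ip in LIST, "Stop Cycle", [VERIFY]),
        Rule("Skip SSL Inspection", bypass_ok, "Stop Cycle"),
    ])
    return [ssl, AUTH]


def verify_near_top_policy() -> List[RuleSet]:
    """The ordering from the addendum: context + verification with Continue
    at the top of the policy, authentication next, the bypass rule further down."""
    setup = RuleSet("SSL Setup Near Top", lambda r: r.command == "CONNECT", [
        Rule("Enable SSL Client Context", lambda r: True, "Continue", [CTX]),
        Rule("Enable Certificate Verification", lambda r: True, "Continue", [VERIFY]),
    ])
    bypass = RuleSet("Skip SSL Inspection", lambda r: r.command == "CERTVERIFY",
                     [Rule("Skip SSL Inspection", bypass_ok, "Stop Cycle")])
    return [setup, AUTH, bypass]


def scenarios() -> Dict[str, Tuple[List[str], str]]:
    """Run a few constructed requests through both orderings."""
    listed = Request("CONNECT", dest_ip="203.0.113.10")
    unlisted = Request("CONNECT", dest_ip="198.51.100.5")
    certok = Request("CERTVERIFY", dest_ip="203.0.113.10", cert_cn="update.example.com")
    revoked = Request("CERTVERIFY", dest_ip="203.0.113.10", cert_cn="update.example.com",
                      chain_has_revoked=True)
    return {
        "posted/listed CONNECT": run_cycle(posters_policy(), listed),
        "posted/unlisted CONNECT": run_cycle(posters_policy(), unlisted),
        "posted/CERTVERIFY bypass": run_cycle(posters_policy(), certok),
        "posted/CERTVERIFY revoked": run_cycle(posters_policy(), revoked),
        "near-top/listed CONNECT": run_cycle(verify_near_top_policy(), listed),
        "near-top/CERTVERIFY bypass": run_cycle(verify_near_top_policy(), certok),
    }


if __name__ == "__main__":
    for name, (events, ended) in scenarios().items():
        print(f"{name:28s} {ended:60s} events={events}")
```

Under the model's assumptions, the posted ordering stops a CONNECT to a listed IP at the verification rule, so the authentication rule set below it never runs (which is the point eelsasser raises), while the near-top ordering with Continue actions still reaches authentication and only stops the cycle on the CERTVERIFY bypass. Whether that matches the real engine's behaviour for the poster's deployment is a question for the product documentation, not for this toy.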

consoul
Level 9

Re: Enable Certificate Verification + Bypass SSL Content Inspection

I would love a reply to btlyric's last question, it intrigues me.

0 Kudos